I have been trying to write a watcher for when my Logstash instances go down. Obviously I can't write one to query a field, but need to write it for the lack of data for a given index for a period of time. I have tried several iterations, but none of these work.
    "query": {
      "bool": {
        "must": [
          {
            "query_string": {
              "default_field": "host",
              "query": "*MON011080*"
            }
          },
          {
            "query_string": {
              "default_field": "host",
              "query": "*MON011080*"
            }
          }
        ],
        "filter": {
          "range": {
            "@timestamp": {
              "from": "now-8m",
              "to": "now"
            }
          }
        }
      }
    }
Also tried it with exists, but that doesn't seem to work either. Can anyone steer me in the right direction?
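
A query can only match documents that exist, so the "no data" test belongs in the watch's `condition`, which compares the hit count to zero. The watch body below is an added example, not part of the original post, that reuses the post's host pattern and 8-minute window. The index pattern `logstash-*`, the 5-minute schedule, the action name and the logging action are assumptions, and the body would be sent to `PUT _watcher/watch/<watch_id>`.

```json
{
  "trigger": {
    "schedule": { "interval": "5m" }
  },
  "input": {
    "search": {
      "request": {
        "indices": ["logstash-*"],
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": [
                {
                  "query_string": {
                    "default_field": "host",
                    "query": "*MON011080*"
                  }
                },
                {
                  "range": {
                    "@timestamp": { "gte": "now-8m", "lte": "now" }
                  }
                }
              ]
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": { "eq": 0 }
    }
  },
  "actions": {
    "log_silent_host": {
      "logging": {
        "text": "No events from hosts matching *MON011080* in the last 8 minutes"
      }
    }
  }
}
```

Keep the search window longer than the schedule interval plus normal ingest lag, otherwise a short indexing delay reads as an outage.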